LinumIQ/linumiq-invoice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: restrict installs to ALLOWED_SHOP and remove generic landing form

Browse Source
This commit is contained in:
Gerhard Scheikl
2026-05-09 18:01:14 +02:00
parent ecd2b00985
commit 1ec4faaac5
4 changed files with 61 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/routes/_index/route.tsx
+20 -35
View File
@@ -1,56 +1,41 @@
import type { LoaderFunctionArgs } from "react-router"; import type { LoaderFunctionArgs } from "react-router";
import { redirect, Form, useLoaderData } from "react-router"; import { redirect, useLoaderData } from "react-router";
import { login } from "../../shopify.server";
import styles from "./styles.module.css"; import styles from "./styles.module.css";
export const loader = async ({ request }: LoaderFunctionArgs) => { export const loader = async ({ request }: LoaderFunctionArgs) => {
const url = new URL(request.url); const url = new URL(request.url);
const allowedShop = process.env.ALLOWED_SHOP?.trim();
const shop = url.searchParams.get("shop");
if (url.searchParams.get("shop")) { // If a shop param is present and it's the allow-listed merchant, send them
throw redirect(`/app?${url.searchParams.toString()}`); // straight into the embedded app. Any other shop is rejected so this URL
// can't be used to install the app on arbitrary stores.
if (shop) {
if (!allowedShop || shop.toLowerCase() === allowedShop.toLowerCase()) {
throw redirect(`/app?${url.searchParams.toString()}`);
}
throw new Response("This app is private and not available for installation.", { status: 403 });
} }
return { showForm: Boolean(login) }; return { allowedShop: allowedShop ?? null };
}; };
export default function App() { export default function App() {
const { showForm } = useLoaderData<typeof loader>(); const { allowedShop } = useLoaderData<typeof loader>();
return ( return (
<div className={styles.index}> <div className={styles.index}>
<div className={styles.content}> <div className={styles.content}>
<h1 className={styles.heading}>A short heading about [your app]</h1> <h1 className={styles.heading}>LinumIQ Invoice</h1>
<p className={styles.text}> <p className={styles.text}>
A tagline about [your app] that describes your value proposition. Private Shopify app for issuing GoBD-compliant PDF invoices.
</p>
<p className={styles.text}>
{allowedShop
? `This installation is reserved for ${allowedShop}. Open the app from the Shopify admin.`
: "Open the app from the Shopify admin."}
</p> </p>
{showForm && (
<Form className={styles.form} method="post" action="/auth/login">
<label className={styles.label}>
<span>Shop domain</span>
<input className={styles.input} type="text" name="shop" />
<span>e.g: my-shop-domain.myshopify.com</span>
</label>
<button className={styles.button} type="submit">
Log in
</button>
</Form>
)}
<ul className={styles.list}>
<li>
<strong>Product feature</strong>. Some detail about your feature and
its benefit to your customer.
</li>
<li>
<strong>Product feature</strong>. Some detail about your feature and
its benefit to your customer.
</li>
<li>
<strong>Product feature</strong>. Some detail about your feature and
its benefit to your customer.
</li>
</ul>
</div> </div>
</div> </div>
); );
app/routes/auth.login/route.tsx
+35 -2
View File
@@ -6,13 +6,46 @@ import { Form, useActionData, useLoaderData } from "react-router";
import { login } from "../../shopify.server"; import { login } from "../../shopify.server";
import { loginErrorMessage } from "./error.server"; import { loginErrorMessage } from "./error.server";
function enforceAllowedShop(request: Request) {
const allowedShop = process.env.ALLOWED_SHOP?.trim();
if (!allowedShop) return;
const url = new URL(request.url);
const fromQuery = url.searchParams.get("shop");
let fromBody: string | null = null;
// Action requests submit the shop in the form body; we re-read it here.
// (request.formData() can only be consumed once, so we clone.)
if (request.method === "POST") {
// We can't await the clone here without making this async; instead the
// caller awaits the actual action and we re-validate the redirect target
// via the query string check above. The action wrapper below also runs
// a body check before delegating to `login()`.
}
if (fromQuery && fromQuery.toLowerCase() !== allowedShop.toLowerCase() && !fromBody) {
throw new Response("This app is private.", { status: 403 });
}
}
async function enforceAllowedShopFromBody(request: Request) {
const allowedShop = process.env.ALLOWED_SHOP?.trim();
if (!allowedShop) return request;
const cloned = request.clone();
const form = await cloned.formData();
const shop = (form.get("shop") ?? "").toString().trim().toLowerCase();
if (shop && shop !== allowedShop.toLowerCase()) {
throw new Response("This app is private.", { status: 403 });
}
return request;
}
export const loader = async ({ request }: LoaderFunctionArgs) => { export const loader = async ({ request }: LoaderFunctionArgs) => {
enforceAllowedShop(request);
const errors = loginErrorMessage(await login(request)); const errors = loginErrorMessage(await login(request));
return { errors }; return { errors, allowedShop: process.env.ALLOWED_SHOP ?? null };
}; };
export const action = async ({ request }: ActionFunctionArgs) => { export const action = async ({ request }: ActionFunctionArgs) => {
await enforceAllowedShopFromBody(request);
const errors = loginErrorMessage(await login(request)); const errors = loginErrorMessage(await login(request));
return { return {
@@ -23,7 +56,7 @@ export const action = async ({ request }: ActionFunctionArgs) => {
export default function Auth() { export default function Auth() {
const loaderData = useLoaderData<typeof loader>(); const loaderData = useLoaderData<typeof loader>();
const actionData = useActionData<typeof action>(); const actionData = useActionData<typeof action>();
const [shop, setShop] = useState(""); const [shop, setShop] = useState(loaderData.allowedShop ?? "");
const { errors } = actionData || loaderData; const { errors } = actionData || loaderData;
return ( return (
deploy/.env.dev.example
+3
View File
@@ -10,6 +10,9 @@ SHOPIFY_API_SECRET=REPLACE_ME
# Public URL Shopify uses for OAuth, webhooks and admin embedding. Must match shopify.app.dev.toml. # Public URL Shopify uses for OAuth, webhooks and admin embedding. Must match shopify.app.dev.toml.
SHOPIFY_APP_URL=https://invoice-app-dev.linumiq.com SHOPIFY_APP_URL=https://invoice-app-dev.linumiq.com
# Single-merchant lock-in: only this myshopify domain may install the app.
ALLOWED_SHOP=linumiq-dev.myshopify.com
# Must match `scopes` in shopify.app.dev.toml. # Must match `scopes` in shopify.app.dev.toml.
SCOPES=read_orders,write_orders,read_all_orders,read_customers,read_companies,read_files,write_files SCOPES=read_orders,write_orders,read_all_orders,read_customers,read_companies,read_files,write_files
deploy/.env.prod.example
+3
View File
@@ -10,6 +10,9 @@ SHOPIFY_API_SECRET=REPLACE_ME
# Public URL Shopify uses for OAuth, webhooks and admin embedding. Must match shopify.app.prod.toml. # Public URL Shopify uses for OAuth, webhooks and admin embedding. Must match shopify.app.prod.toml.
SHOPIFY_APP_URL=https://invoice-app.linumiq.com SHOPIFY_APP_URL=https://invoice-app.linumiq.com
# Single-merchant lock-in: only this myshopify domain may install the app.
ALLOWED_SHOP=5aiizq-ti.myshopify.com
# Must match `scopes` in shopify.app.prod.toml. # Must match `scopes` in shopify.app.prod.toml.
SCOPES=read_orders,write_orders,read_all_orders,read_customers,read_companies,read_files,write_files SCOPES=read_orders,write_orders,read_all_orders,read_customers,read_companies,read_files,write_files